• kuhli@lemmy.dbzer0.com · 28 upvotes · 5 hours ago

    Y’all really need to read past the headline:

    the bug that Paul found seemingly wouldn’t be triggered anyway, as the relevant section of the code wasn’t being called to begin with

    • rustydrd@sh.itjust.works · 17 upvotes · 2 hours ago

      I guess it’s one of those “justifiable but unwise” sort of things. If your company is doing a bug bounty program to stay on top of security vulnerabilities, what you don’t want is to create the perception that the work of devs who look for these vulnerabilities isn’t appreciated, for example, by skimping on bounties over technicalities.

      Paying the 10k doesn’t ruin the company and allows them to fix a section of code that may become a vulnerability in the future. Not paying the 10k saves them 10k at the price of the devs’ trust that keeps this program effective. From a financial point of view, this is some very poor decision making.

  • schema@lemmy.world · 19 upvotes · 5 hours ago

    The woman in the stock photo looks like she’s about to pilot an X-Wing.

  • 🇨🇦 tunetardis@piefed.ca · 26 upvotes · 7 hours ago

    Researcher commenting on the patch:

    he remarks that the software only checks the validity of the downloaded file using the ancient CRC32 hash that isn’t considered cryptographically secure anymore

    I have to respect the researcher for his incredibly charitable wording here. CRC32 is not even remotely crypto. That’s never been its purpose, and using it for digital signing is patently insane!

    I fear I would have had a much shorter temper after what he’s been through, and yet here he is keeping his cool and his criticism constructive. Good on him.
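
The CRC32 point above, as an added example that is not part of this thread or of the patched software: a birthday search over constructed random inputs finds two different blobs with the same CRC32 almost instantly, so a verifier that pins a CRC32 accepts the second blob, while one that pins a SHA-256 digest taken from a trusted source (an assumed stand-in for a real signature check, which the standard library does not provide) rejects it.

```python
import hashlib
import hmac
import random
import zlib


def verify_with_crc32(data: bytes, expected_crc: int) -> bool:
    """Weak check: CRC32 only catches accidental corruption. It is a 32-bit
    linear checksum, so matching a target value is cheap for an adversary."""
    return zlib.crc32(data) == expected_crc


def verify_with_sha256(data: bytes, expected_hex: str) -> bool:
    """Hardened check: compare against a SHA-256 digest pinned from a trusted,
    authenticated source (assumed here to be a signed manifest). Constant-time
    comparison avoids leaking how many leading characters matched."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex)


def find_crc32_collision(seed: int = 1, limit: int = 500_000) -> tuple[bytes, bytes]:
    """Birthday search: two distinct constructed 8-byte blobs with equal CRC32.
    Expected after roughly 2**16 samples; SHA-256 would need about 2**128."""
    rng = random.Random(seed)  # seeded so the demo is reproducible
    seen: dict[int, bytes] = {}
    for _ in range(limit):
        blob = rng.getrandbits(64).to_bytes(8, "big")
        crc = zlib.crc32(blob)
        if crc in seen and seen[crc] != blob:
            return seen[crc], blob
        seen[crc] = blob
    raise RuntimeError("no collision within limit; raise the limit")


def demo() -> dict:
    """Pin both checks to a 'legitimate' blob, then offer its CRC32 twin."""
    legit, other = find_crc32_collision()
    pinned_crc = zlib.crc32(legit)
    pinned_sha = hashlib.sha256(legit).hexdigest()
    return {
        "inputs_differ": legit != other,
        "crc32_accepts_other": verify_with_crc32(other, pinned_crc),
        "sha256_accepts_other": verify_with_sha256(other, pinned_sha),
    }


if __name__ == "__main__":
    print(demo())
```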

  • iturnedintoanewt@lemmy.world · 38 upvotes / 1 downvote · 10 hours ago

    Holy crap. I’d say not to buy AMD if you value your security (I have an AMD CPU and the Deck too). You already know the next vulnerability they’re going to be the last ones to find out. In the news, probably.

    • BlackLaZoR@lemmy.world · 8 upvotes · 5 hours ago

      Under Linux, AMD GPU is the only sane solution though, due to open source drivers. And Intel CPUs have a history of cooking hard.

      • DupaCycki@lemmy.world · 4 upvotes / 5 downvotes · 3 hours ago

        It’s not. RISC-V and ARM exist. You can buy laptops based on either of these architectures for a very reasonable price, compared to Intel and AMD’s x86 offerings.

        Of course, that means no AAA gaming, for the most part at least. But then again, who even plays AAA games these days?

        • Link@rentadrunk.org · 7 upvotes · 3 hours ago

          But then again, who even plays AAA games these days?

          Err, many people? And Linux gaming is on the rise too.

        • ChilledPeppers@lemmy.dbzer0.com · 1 upvote · 1 hour ago

          (Serious) Is there really a reasonably priced ARM laptop? Which one? I only see Apple silicon and some laptops over 2k dollars. Does it have good battery life and performance?

        • exu@feditown.com · 2 upvotes · 2 hours ago

          Consumer ARM hardware mostly needs customized images for each board. Plus, depending on your CPU manufacturer you’ll be stuck on an ancient kernel version to get full functionality.

  • arsCynic@piefed.social · 4 upvotes · 7 hours ago

    If anyone could provide an AMD email to ask for a statement concerning this issue, that would be nice.

    • kuhli@lemmy.dbzer0.com · 7 upvotes · 5 hours ago

      I don’t think a statement is really needed here; this wasn’t a vulnerability, the code was never called. Even if the code were called, the $10,000 bounty is for a different type of bug entirely, too.